New Cortex Xpanse features give organizations visibility and control of their attack surfaces to discover, evaluate, and address cyber risks.

**SANTA CLARA, Calif.****,** **Dec. 12, 2022** **/PRNewswire/ —** Cyberattackers today use highly automated methods to quickly find and exploit weaknesses in target organizations — sometimes within minutes of a new vulnerability being disclosed. Most security teams try to find these weaknesses, but because they are doing this with manual tools they quickly fall behind. Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, introduced a new Cortex® capability: Xpanse Active Attack Surface Management, or Xpanse Active ASM. This helps security teams not just actively find but also proactively fix their known and unknown internet-connected risks. Xpanse Active ASM equips organizations with automation to give them the edge over attackers.

"While the fundamental need for attack surface management hasn't changed, the threat landscape today is much different. Organizations need an active defense system that operates faster than attackers can," said Matt Kraning, chief technology officer of Cortex for Palo Alto Networks. "As the leader and pioneer in the ASM market, we realize that customers need complete, accurate, and timely discovery and remediation of risky exposures in their internet-connected systems. With Xpanse Active ASM, we give defenders the ability not only to see their exposures instantly but also to shut them down automatically with no human labor required."

Available today, Xpanse Active ASM gives organizations the following tools and capabilities:

*   **Active Discovery**: Attackers use frequent, automated probes to find vulnerable and/or exposed assets, and organizations need tools that allow them to have the same visibility. Active Discovery refreshes its internet-scale database several times a day and uses supervised machine learning to accurately map these vulnerabilities back to an organization. This helps them get an outside-in view of their network — the same view attackers have.
*   **Active Learning**: Xpanse continuously processes discovery data, mapping new systems to the people responsible for each system. Active Learning continuously analyzes and maps the streamed discovery data to understand and prioritize top risks in real time. As a result, customers can stay ahead of attackers by closing down the riskiest exposures quickly.
*   **Active Response**: While instant discovery of vulnerabilities and/or exposures can give security teams a realistic risk picture, merely finding issues isn't enough. Automated remediation is key to staying ahead of attackers, saving response time in the SOC by eliminating the manual step of merely creating a ticket for analysts who then must spend multiple hours of manual effort actually tracking down the owner of the affected system and resolving the vulnerability. True automation is completely solving the end-to-end remediation process without human intervention. A critical new capability for security teams, Active Response includes native embedded automatic remediation capabilities that make use of active discovery data and active learning analysis to automatically shut down exposures before they allow threats into a network. It executes ASM-specific playbooks to triage, deactivate and repair vulnerabilities automatically.

The Xpanse Active Response module includes built-in end-to-end remediation playbooks. These playbooks automatically eliminate critical risks such as exposed Remote Desktop Protocol (RDP) servers and insecure OpenSSH instances without any manual labor.

Following remediation, Active Response automatically validates that remediation was successful by scanning assets, compiling audited actions and placing investigation details into clear dashboards and reports.

Cortex Xpanse is used today by some of the most complex and demanding organizations in the world. Palo Alto Networks recently announced a multiyear deal for Cortex Xpanse to equip the Department of Defense with Internet Operations Management capabilities.

**Availability**

Cortex Xpanse Active ASM is now available globally with full support.

**Additional Resources**

*   Learn more about Xpanse Active ASM.
*   Register for the Xpanse Active ASM online event.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Cortex, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in_ _the United States_ _and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE: Palo Alto Networks Inc.

Palo Alto Networks Xpanse Active Attack Surface Management Automatically Remediates Cyber Risks Before They Lead to Cyberattacks

Pulse Connect VPN server software received several updates over the years, and thousands of hosts haven't patched.

Nearly 4,500 Pulse Connect Security SSL virtual private network hosts are running unpatched server software, leaving them open to cyberattacks.

A new analysis from Censys of the Pulse Connect Secure VPN ecosystem of 30,266 hosts found that although several notable flaws have been discovered and patched over the past few years, 4,460 hosts are still running vulnerable versions. Besides Pulse advisories, the Cybersecurity and Infrastructure Security Agency in April 2021 issued an alert that some of the documented Pulse Connect bugs were under active attack, Censys added.

The Censys Pulse Connect report includes a breakdown of the unpatched versions, finding the biggest chunk of vulnerable hosts — 1,033 — is in the US.

Overall, Censys said the team was trying to "... paint a picture of the current state of vulnerable Pulse Connect secure devices that are still running on the Internet," the report added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nearly 4,500 Pulse Connect Secure VPNs Left Unpatched and Vulnerable

Funding and new leadership to drive innovation and growth in cloud-native application resiliency; round led by SKK Ventures with T-Mobile and Telefonica.

**FRAMINGHAM, Mass., Dec. 12, 2022 /PRNewswire-PRWeb/** — Trilio, a leading provider of cloud-native data protection, announced today that it has secured $17 million in funding to drive further innovation and growth in the cloud-native application resiliency market. The company also announced the appointment of enterprise software executive Massood Zarrabian as CEO. Zarrabian was formerly Chairman and CEO of BA Insight.

"Trilio is a trusted partner for organizations that are driving digital transformation leveraging cloud-native technologies," said Massood Zarrabian, CEO of Trilio. "The company has established a leading position in the new growth category of Kubernetes with unique application resiliency technology, strong partnerships and a passionate team. Our goal is to leverage those resources to help customers meet their mandates for multi-cloud application mobility, ransomware protection and compliance with disaster recovery protocols. We're pleased to have the continued confidence of SKK Ventures and added support from leading innovators such as Telefonica and T-Mobile, who are also valued customers."

The company will leverage the capital to increase focus on product development, engineering and customer operations. The additional funding is part of the company’s Series B round and was led by SKK Ventures with participation from T-Mobile Ventures, Wayra Telefónica Innovation, Raiven Capital, Genesis Accel, 406 Ventures and Jack Egan. This brings Trilio's total capital raised to $36 million.

In his most recent role, Zarrabian led BA Insight's transformation and growth into a multi-platform enterprise search software company leading to its acquisition by Upland in 2022. Prior to BA Insight, Zarrabian was President and CEO of OutStart where he established the company as a market leader with hundreds of customers. He also served as President of the eService Division of Broadbase Software, a leading provider of eCRM solutions.

David Safaii, who has been CEO since 2014, has transitioned to the role of Executive Chairman of the Board, focusing on the strategic needs of the organization, including corporate and business development.

"Trilio has earned notable success under David's leadership, including building brand awareness, a strong team of dedicated professionals, and a roster of Tier 1 enterprise-class customers from around the world. His expertise will play a vital role going forward as the executive chairman," said Rob Scott, Member of the Trilio Board of Directors.

Scott continued, "We're equally excited to bring on Massood Zarrabian as CEO. Massood is a seasoned operator with experience in driving and scaling software companies like Trilio to the next level. Massood's track record of building teams, culture, and outcomes makes him a great fit for our organization as we move forward into this next chapter."

Additionally, the company announced Christina Lattuca as CFO and VP of Operations. Lattuca joins Trilio to lead the company's finance, accounting, business intelligence, legal and human resources functions. She was most recently CFO of Cygilant, a leading provider of cybersecurity-as-a-service, prior to its acquisition by SilverSky. She has more than 25 years of financial management expertise developing and implementing financial planning, controls, and reporting for international high-tech companies.

**Investor Quotes**

— Stephen Brackett, President and Managing Member of SKK: "SKK believes in the Trilio mission, and we are encouraged by the company's continued progress in the fast-growing market for cloud-native application resiliency. The growth in the company's technology and partner ecosystem is a strong indicator of how the leadership team has elevated the Trilio brand as both a technology innovator and a trusted go-to-market partner."

— Jeff Pellegrini, VP of Investments, T-Mobile Ventures: "Our enthusiasm for Trilio's technology, product and customer-centric approach is driven not just by the due diligence of an investor but by the intensive research of a customer. T-Mobile did an extensive investigation of the players in this space before selecting TrilioVault as its cloud-native application resiliency service. As a result, we became convinced that backing the company strategically was the right move. We're happy to participate in this funding round and support the company's next phase of innovation and growth."

TrilioVault for Kubernetes is a leading cloud-native data protection platform helping organizations migrate to new cloud infrastructure, recover quickly from ransomware attacks and comply with disaster recovery mandates. Trilio is well-positioned to capitalize on a rapidly growing market for cloud-native management solutions. According to IDC, 70% of all net-new apps in production will be cloud-native by 2024, up from just 10% in 2020. This momentous shift to containerized applications means enterprises need robust and reliable data protection for Kubernetes-based applications.

**Recent Milestones**  
— General availability of TrilioVault for Kubernetes v3.0, including Continuous Restore and Red Hat OpenShift Anywhere support.

— Pay-as-you-go consumption-based billing capability for AWS Marketplace customers using Amazon EKS.

**About Trilio**

Trilio is a leader in cloud-native data protection and management for applications using Kubernetes and OpenStack. Our TrilioVault technology is trusted by cloud architects and DevOps engineers for backup and recovery, migration, ransomware protection and application mobility. Customers in telecom, defense, automotive and financial services leverage TrilioVault to easily migrate to new cloud infrastructure, recover quickly from ransomware attacks and comply with disaster recovery protocols. Trilio.io, Twitter and LinkedIn.

SOURCE: Trilio

Trilio Raises $17M, Appoints Massood Zarrabian as CEO

Texas and Maryland this week joined three other states in prohibiting accessing the popular social media app from state-owned devices.

Texas this week become the fifth US state to ban the TikTok app on government-owned devices over concerns about the social media app harvesting sensitive data from user devices and potentially making it available to the Chinese government.

The question now is whether private companies will implement similar restrictions on use of the popular social media app on devices that employees use to access enterprise data and applications.

**Unacceptable Risk**

Texas Gov. Greg Abbott on Wednesday said he had ordered all state agencies to ban TikTok on any state-issued devices effective immediately. Abbott said he has also given each state agency until Feb. 15, 2023 to implement their own policies regarding the use of TikTok on personal devices belonging to employees — subject to approval by the Texas Department of Public Safety.

"TikTok harvests vast amounts of data from its users' devices — including when, where, and how they conduct internet activity — and offers this trove of potentially sensitive information to the Chinese government," Abbott said, echoing concerns that many others have expressed recently.

Abbott pointed to China's 2017 National Intelligence Law, which obligates Chinese companies and individuals to assist in state intelligence-gathering activities, and a recent warning from FBI Director Christopher Wray about TikTok's use in influence operations, as reasons for his decision.

Abbott's order came just one day after Maryland Gov. Larry Hogan issued an emergency directive prohibiting the use of TikTok and other Chinese and Russian-influenced products on state-issued devices, citing the "unacceptable" cybersecurity risk they presented to the state.

His order applies to TikTok, Huawei Technologies, ZTE Corp., Tencent Holdings products including WeChat, Alibaba products including AliPay, and Kaspersky. Hogan's directive requires all Maryland state agencies to remove these products from state networks within 14 days and to implement network-based restrictions preventing access to these services.

Like Abbott, Hogan also cited Wray's warning about TikTok presenting a national security threat in his statement, as well as a recent NBC News report about Chinese hackers stealing millions of dollars in COVID-related benefits.

The three other states that have issued similar directives over similar concerns are South Dakota, South Carolina, and Nebraska. In addition, the US Departments of Defense, State, and Homeland Security have all banned TikTok on federally issued devices. This July, members of the Senate Select Committee on Intelligence sent a letter to the chair of the Federal Trade Commission urging the agency to investigate what it claimed were deceptive practices by TikTok with regard to its data privacy practices.

**Concerns Mount Despite TikTok's Assurances**

The growing number of bans on the use of TikTok on state and federal devices and networks is sure to encourage other state governments, federal agencies, and private companies to weigh the security and privacy implications of using the social media app.

In a Senate hearing earlier this year, TikTok COO Vanessa Pappas maintained that TikTok does not operate inside China and the app is not available there. She has described the company as incorporated in the US and compliant with US laws. Though TikTok does have employees based in China, the company has strict access control over what data those employees can access and where TikTok stores the data, Pappas testified. Earlier this year, the company also announced it has launched an initiative called Project Texas designed to bolster confidence in the safeguards the company has put in place and will put in place to protect US user data and national security interests. TikTok now stores 100% of US user data in the US in Oracle's cloud environment and is working with Oracle to implement advanced data security controls, TikTok CEO Shou Zi Chew said at the time.

In an emailed comment to Dark Reading, TikTok spokesperson Jamal Brown expressed disappointment over the recent developments. "We believe the concerns driving these decisions are largely fueled by misinformation about our company," Brown says. "We are happy to continue having constructive meetings with state policymakers to discuss our privacy and security practices. We are disappointed that many state agencies, offices, and universities will no longer be able to use TikTok to build communities and connect with constituents."

Despite such assurances, the fact that a China-based entity called ByteDance Ltd owns TikTok and that the Chinese government owns at least a partial stake in one of its subsidiaries continues to be a major source of concern for many. Recent reports about threat actors using the platform to distribute malware have not helped matters.

"The specific situation with TikTok being based in China and being subject to Chinese law, which can give the Chinese Communist Party (CCP) access to user data, is giving many people pause," says Mike Parkin, senior technical engineer at Vulcan Cyber.

Social media applications like TikTok can be problematic for organizations as well. "They are immensely popular, especially with the generations that have grown up with social media," he says. It’s entirely reasonable that organizations would restrict what apps get installed on their organization-provided devices and recommend their employees don’t install it on any personal systems they use to access enterprise systems, Parkin says.

On devices provided by organizations, a ban on TikTok would be absolutely enforceable, he says. But the same wouldn't be true of personally owned and unmanaged devices, he notes. "The organization can lay out the requirements, but enforcing them becomes much more challenging both ethically and legally," Parkin says.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says the rapid proliferation of BYOD policies and distributed remote work environments has contributed to an exponential increase in risk to endpoints and applications for both public and private sector entities. "This puts organizations in a precarious situation, as they must weigh the convenience and cost-savings of BYOD policies with the significant cybersecurity risk," Tiquet says. "Banning specific apps may seem like a simple and straightforward approach to ensuring security, but with a BYOD policy, it is difficult to enforce."

TikTok Banned on Govt. Devices; Will Private Sector Follow Suit?

MuddyWater joins threat groups BatLoader and Luna Moth, which have also been using Syncro to take over devices.

Iranian-backed threat group MuddyWater has switched up its tactics — it's now using remote administration tool Syncro to take over target devices.

Syncro is a full-featured remote access platform for managed service provider operations. The tool even offers a free 21-day trial.

Prior to this latest campaign, which researchers from Deep Instinct estimate began sometime in September, MuddyWater used a different legitimate remote administration tool called RemoteUtilities.

A new report from Deep Instinct details recent MuddyWater attacks on an Egyptian data hosting company, as well as the Israeli insurance and hospitality industries.

"MuddyWater is not the only actor abusing Syncro," the Deep Instinct team reported. "It has also been observed recently in BatLoader and Luna Moth campaigns."

Deep Instinct provides MuddyWater's indicators of compromise and advises security teams to monitor for abnormal remote desktop applications inside their organizations.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Iran-Backed MuddyWater's Latest Campaign Abuses Syncro Admin Tool

Balancing gameplay and security can drive down risks and improve gamers' trust and loyalty.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

7 Ways Gaming Companies Can Battle Cybercrime on Their Platforms

A new report helps companies understand an ever-changing threat landscape and how to strengthen their defenses against emerging cybersecurity trends.

The "Microsoft Digital Defense Report" is a compilation of insights from 43 trillion daily security signals that provides organizations with a high-level picture of the threat landscape and current state of cybersecurity. This annual report aggregates security data from organizations and consumers across the cloud, endpoints, and the intelligent edge to help better predict what attackers will do next.

Keep reading for a high-level overview of our findings, and click here to access the full report.

**The State of Cybercrime**

2022 saw a significant increase in indiscriminate phishing and credential theft to gain information for targeted ransomware, data exfiltration and extortion, and business email compromise attacks. Human-operated ransomware was the most prevalent type of ransomware attack observed, with one-third of targets successfully compromised and 5% ransomed. The evolving cybercrime-as-a-service (CaaS) economy is also a concern, as Microsoft blocked 2.75 million site registrations successfully to get ahead of criminal actors that planned to use them to engage in global cybercrime.

During ransomware recovery engagements, 93% of Microsoft investigations revealed insufficient privilege access and lateral movement controls. The most effective defense against ransomware includes multifactor authentication (MFA), frequent security patches, and zero-trust principles across network architecture.

**The Nature of Nation-State Threats**

Nation-state cyber threat groups have shifted from exploiting the software supply chain to exploiting the IT services supply chain. Oftentimes they target cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors.

Nation-state actors are also getting savvier, pursuing new and unique tactics to deliver attacks and evade detection in response to strengthened cybersecurity postures. Zero-day vulnerabilities are particularly key for initial exploitation. On average, it takes only 14 days for an exploit to become available in the wild after a vulnerability is publicly disclosed. These zero-day exploits are often discovered by other actors and reused broadly in a short period of time, leaving unpatched systems at risk.

**Attacks on Devices and Infrastructure**

Did you know that 68% of "Microsoft Digital Defense Report" respondents believe that adopting Internet of Things/operations technology (IoT/OT) is critical to their strategic digital transformation? Yet 60% of those same respondents recognize that IoT/OT security is one of the least secured aspects of their infrastructure. Attacks against remote management devices are on the rise, with more than 100 million attacks observed in May 2022 — a fivefold increase in the past year.

Accelerating digital transformation has increased the cybersecurity risk to critical infrastructure and cyber/physical systems. Likewise, growing IoT solutions have increased the number of attack vectors and the exposure risk of organizations. While policymakers are seeking to build trust in critical infrastructure cybersecurity through increased regulations, the public and private sector must collaborate to find a balance between compliance and truly effective cybersecurity practices.

**Tackling Cyber Influence Operations**

Democracy needs trustworthy information to flourish, yet we’ve observed a 900% year-over-year increase in the proliferation of deepfakes since 2019. AI-enabled media creation and manipulation make it easier than ever for cybercriminals to create highly realistic synthetic images, videos, audio, and text. This false content can then be optimized and disseminated to target audiences, challenging our collective understanding of the truth.

In response, governments, the private sector, and civil society must work together to increase transparency of these influence campaigns and to expose and disrupt their operations. We recommend implementing strong digital hygiene practices and considering ways to reduce any unintended enabling of cyber influence campaigns by your employees or your business practices. Business should support information literacy campaigns, civic engagement campaigns, and industry-specific counter-influence groups to help defend against propaganda and foreign influence.

**The Path to Cyber Resilience**

Nation-state actors have escalated their use of offensive cyber operations to destabilize governments and impact global trade operations. As these threats increase and evolve, it’s crucial to build cyber resilience into the fabric of the organization.

Basic security hygiene still protects against 98% of attacks, yet many threat actors succeed simply because these foundational security practices have not been followed. In fact, more than 90% of accounts that were compromised by password-based attacks did not have strong authentication practices in place. Organizations should enable MFA, apply zero-trust principles, implement modern anti-malware software, ensure all systems are kept up to date, and protect data by knowing where important information is located and whether the right systems are implemented.

Download the full "Microsoft Digital Defense Report" to better understand today’s cyber threat landscape. For even more details, check out our recent webinar, "Build Cyber Resilience by Leveraging Microsoft Experts' Digital Defense Learnings."

Explore more threat intelligence insights on Microsoft Security Insider.

43 Trillion Security Data Points Illuminate Our Most Pressing Threats

The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.

A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed "Drokbk" to attack a variety of US organizations, using GitHub as a "dead-drop resolver."

According to MITRE, the use of dead-drop resolvers refers to adversaries posting content on legitimate Web services with embedded malicious domains or IP addresses, in an effort to hide their nefarious intent.

In this case, Drokbk uses the dead-drop resolver technique to find its command-and-control (C2) server by connecting to GitHub.

"The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware," the report noted.

The Drokbk malware is written in .NET, and it's made up of a dropper and a payload.

Typically, it's used to install a Web shell on a compromised server, after which additional tools are deployed as part of the lateral expansion phase.

According to the report from the Secureworks Counter Threat Unit (CTU), Drokbk surfaced in February after an intrusion at a US local government network. That attack began with a compromise of a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

"This group has been observed conducting broad scan-and-exploit activity against the US and Israel, so in that sense any organization with vulnerable systems on their perimeter are potential targets," says Rafe Pilling, Secureworks principal researcher and thematic lead for Iran.

He explains Drokbk provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok. It's also a relatively unknown piece of malware.

"There may be organizations out there with this running on their networks right now, undetected," he adds.

Fortunately, using GitHub as a dead-drop resolver is a technique that cyber defenders can look for on their networks.

"Defenders might not be able to view TLS-encrypted traffic flows, but they can see which URLs are being requested and look for unusual or unexpected connections to GitHub APIs from their systems," Pilling notes.

**Dead-Drop Resolver Technique Offers Flexibility**

The dead-drop resolver technique provides a degree of flexibility to malware operators, allowing them to update their C2 infrastructure and still maintain connectivity with their malware.

"It also helps the malware blend in by making use of a legitimate service," Pilling says.

**Robust Patching Is Critical Defense Strategy**

Pilling advises organizations to patch Internet-facing systems, noting well-known and popular vulnerabilities such as ProxyShell and Log4Shell have been favored by this group.

"In general, this group and others will quickly adopt the latest network vulnerabilities that have reliable exploit code, so having that robust patching process in place is key," he says.

He also recommends organizations hunt through security telemetry for the indicators provided in the report to detect Cobalt Mirage intrusions, ensure an antivirus solution is widely deployed and up to date, and deploy EDR and XDR solutions to provide comprehensive visibility across networks and cloud systems.

**Iran-Backed Threat Groups Evolving, Attacks on the Rise**

The CTU also noted Cobalt Mirage appears to have two distinct groups operating within the organization, which Secureworks has labeled Cluster A and Cluster B.

"The initial similarity in tradecraft resulted in the creation of a single group, but over time and multiple incident-response engagements we found we had two distinct clusters of activity," Pilling explains.

Going forward, the established groups are expected to continue to operate against targets aligned with Iranian intelligence interests, both foreign and domestic. He adds that the increased use of hacktivist and cybercrime personas will be used as cover for both intelligence-focused and disruptive operations.

"Email and social media-based phishing are preferred methods, and we may see some incremental improvement in sophistication," he explains.

In a joint advisory issued Nov. 17, cybersecurity agencies in the United States, United Kingdom, and Australia warned attacks from groups linked to Iran are on the rise. Cobalt Mirage is hardly on its own.

"Over the last two years we've seen multiple group personas emerge — Moses' Staff, Abraham's Ax, Hackers of Savior, Homeland Justice, to name a few — primarily targeting Israel, but more recently Albania and Saudi Arabia, conducting hack-and-leak style attacks combined with information operations," Pilling says.

The US Treasury Department has already moved to sanction the Iranian government for its cybercrime activities, which the department alleges have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

Iranian APT Targets US With Drokbk Spyware via GitHub

A reliance on CPE names currently makes accurate searching for high-risk security vulnerabilities difficult.

In many cases, once a high-risk security vulnerability has been identified in a product, a bigger challenge emerges: how to identify the affected component or product by its assigned name in the National Vulnerability Database (NVD). That's because software products are identified in the NVD with a common platform enumeration (CPE) name, which are assigned by the National Institute of Standards and Technology (NIST), part of the US Department of Commerce.

The NVD uses a CPE to identify hardware and software components based on vendor, product, and version string. When software users want to determine, via the NVD, whether a component of a product they are using has any associated vulnerabilities, they must know the precise assigned CPE name of the component. However, it is often impossible to find a CPE for a particular component, whether they are open source or proprietary.

In most cases, this problem makes it impossible to reliably automate many of the processes required for software security, such as producing a software bill of materials (SBOM).

**Why Finding Vulnerabilities in the NVD is Hard**

To understand the scope of the problem, consider the following six conditions that make it extremely difficult, if not impossible, to search for component and product vulnerabilities in the NVD, due to its reliance on CPEs as the sole identifier.

1\. Vulnerabilities are identified in the NVD with a common vulnerabilities and exposures (CVE) number, e.g., "CVE-2022-12345," and the Common Vulnerability Scoring System (CVSS) is used to assign a threat level to each CVE. A CPE is typically not created for a software product until a CVE is assigned to it. However, many software suppliers have never reported a vulnerability (which would generate a CVE), so a CPE has never been created for the product in the NVD. 

This is not necessarily because the products have never had vulnerabilities, but because the developer may not have reported any existing vulnerabilities to the NVD.

As a result, an NVD search will yield a "No matching records" response in both of the following scenarios: 

(i) a vulnerability does not exist in a given product

(ii) a vulnerability exists but has never been reported by the developer

2\. Since there is no error checking performed when a new CPE name is entered in the NVD, it is possible to create a product CPE that does not follow a consistent naming convention. As a result, when a user searches for the product using the properly specified CPE, they will receive a "There are 0 matching records" error message. This is the same message they would receive if the original (off-specification) CPE name were used but there were no CVEs reported against it.

When a user receives this message, it could mean there is a valid CPE for the product they're searching on, but a CVE has never been reported for that product, but it could also mean the CPE they entered does not match the CPE in the NVD, and that there are, in fact, CVEs attached to the (off-specification) CPE name submitted to the NVD.

The "There are 0 matching records" error message could also result if a user misspells the CPE name in the search bar. In this instance, the user would have no way of knowing that the message was generated by a typo, and instead could assume the product has no reported vulnerabilities.

3\. Over time, a product or supplier name may change due to a merger or acquisition, and the CPE name for the product may change as well. In this case, if a user searches for the original CPE, not the new CPE, they would not learn about new vulnerabilities. As before, they would receive the "There are 0 matching records" message.

4\. This also applies for different variations of supplier or product names, such as "Microsoft" and "Microsoft Inc.," or "Microsoft Word" and "Microsoft Office Word," etc. Without the exact correct supplier or product name, an NVD search will yield incorrect results.

5\. The same product can have multiple CPE names in the NVD if they are entered by different people who each use a different iteration. This can make it virtually impossible to determine which name is correct. To make matters worse, if CVEs have been entered for each of the CPE variants, this will result in their being no "correct" name. One example is OpenSSL (e.g., "OpenSSL" versus "OpenSSL Framework"). Since no single CPE name contains all the OpenSSL vulnerabilities, users must search separately for each variation of the product name.

6\. In many cases, a vulnerability will only affect one module of a library. However, since CPE names are assigned on the basis of products, not the individual modules they contain, users need to read the full CVE report to determine which module is vulnerable. If they don't, this can result in unnecessary patching or mitigations, like when a vulnerable module is not installed in a software product being used but other modules of the library are.

Fortunately, a cross-industry group called the SBOM Forum that includes members of OWASP, The Linux Foundation, Oracle, and others are working on the problem and have developed a proposal to improve the accuracy of the NVD with a focus on modern, automated use cases.

The group's recommendations, including the adoption of a package URL (purl) for software and GS1 Standards for hardware, are designed to create a standardized way to reliably query the NVD and receive accurate information on vulnerabilities.

How Naming Can Change the Game in Software Supply Chain Security

Security leaders also need to take a more holistic approach to addressing supply chain risks, company says in new research report.

Organizations should implement the Supply Chain Levels for Software Artifacts (SLSA) framework when building software to ensure better software security and integrity, advocates Google — after the tech giant did a deep-dive into best practices for securing the software supply chain. 

In a report out on Dec. 9, Google laid out several recommendations for bolstering supply chain security, including the need for organizations to take on more direct responsibility for open source software, and taking a more holistic approach to addressing risks such as those presented by the Log4J vulnerability and the SolarWinds breach.

Google's report on software security is the first in a new "Perspectives on Security" research series that examines emerging security trends and how to address them. The report's release comes on the second anniversary of the SolarWinds breach disclosure, and its recommendations are based on Google's analysis of that incident as well as numerous other software supply chain breaches since then. Those include incidents at Codecov, Kaseya and those involving public code repositories such as PyPI.

The breaches have made software supply chain security a top item on the enterprise IT agenda. A recent report from Mandiant identified supply chain compromises as contributing to 17% of all intrusions in 2021, up from less than 1% just a year earlier. Supply chain issues were, in fact, the second most frequent initial intrusion vector after software vulnerability exploits in 2021.

**Two Main Takeaways for Security Decision-Makers**

"There are two main key takeaways from this report that enterprise IT and security decision makers should consider that will help them securely build and verify the integrity of software," says Royal Hansen, vice president of engineering at Google. 

The first, as mentioned, is that security leaders need to focus on adopting a more holistic approach to strengthen defenses against software supply chain attacks: "Organizations should also implement the SupplyChain Levels for Software Artifacts (SLSA) framework to ensure the security community mitigate threats across the entire software supply chain ecosystem," he says.

SLSA (pronounced "salsa") provides software developers a cadre of controls and practices to ensure software security and integrity during the entire software development life cycle through production. One of its key goals is to give organizations a way to prevent and detect tampering of the sort that happened at SolarWinds, where an adversary inserted malicious code into — and distributed it via — a signed software update.

SLSA is a prescriptive checklist, meaning it spells out the steps that organizations need to take. That includes, for instance, verifying the provenance of all open source and third-party components in their software, and for ensuring there's been no tampering with the software. 

Among other things, it also requires that organizations retain source code indefinitely and have the ability to verify the integrity of their software with tamper-proof provenance information.

Google perceives the SLSA framework as allowing organizations to optimize the benefits of things like a software bill of materials (SBOMs), i.e., a list of all the components in a particular piece of software.

**Assuming More Responsibility**

One of the other keys to bolstering supply chain security at an industry level is for organizations to secure their own open source and proprietary software supply chains, Google said.

This means ensuring that all software they build or acquire from other sources implements baseline security standards and controls. As an example, Google pointed to the Minimum Viable Secure Product (MVSP) requirements for enterprise-ready software that it developed in collaboration with several other companies, including Okta, Salesforce, Slack, and Venafi.

MVSP is a checklist of baseline security controls that a software developer must implement, at a minimum, to ensure a reasonably secure product. The checklist includes things such as whether the software vendor or publisher publishes vulnerability reports, conducts self-assessments and external testing, and implements practices such as SSO, HTTPS, and security headers.

Software purchasers can use the baseline to assess whether a product meets those requirements, while larger companies can incorporate MVSP as their standard questionnaire when triaging the security posture of their third-party software suppliers, Google said. Procurement teams can include them in requests for proposal (RFP) documents and use it as security baseline for vendor selection, Google said.

Hansen says security leaders and practitioners can also take other measures to bolster software supply chain security. "Findings from the report suggest a need for a more thorough understanding of software supply chain networks, identification of potential risks and implementation of risk-mitigation plans, and the establishment of security requirements for software procurement," he notes.

Security organizations can play a role as well by, for example, funding the Open Source Security Foundation (OSSF) and the open source software project maintainers who find and fix security vulnerability in open source code, Hansen says.

Source

DARKReading